Patents Assigned to CROWDSTRIKE, INC.
- Patent number: 12294580
  Abstract: A cybersecurity service assesses, scores, and/or prioritizes activities associated with a directory service. When the directory service is requested to change a directory service assignment, the directory service may first request a verdict from the cybersecurity service. The cybersecurity service may use profiling and/or machine learning to predict directory service assignments. The cybersecurity service may then score and prioritize requests to change/update directory service assignments. Small deviations from predicted directory service assignments, for example, may indicate harmless/normal directory service activity. Larger deviations, though, may indicate abnormal directory service activity. Larger deviations may even indicate malicious directory service activity, such as permission escalation and cyberbreaches. Scoring and prioritization allows for resource allocation and timely mitigations by human experts.
  Type: Grant
  Filed: October 22, 2024
  Date of Patent: May 6, 2025
  Assignee: CrowdStrike, Inc.
  Inventors: Brenden Thomas Bishop, Michael Avraham Brautbar
- Publication number: 20250141889
  Abstract: A cybersecurity event validation service provides a user-friendly scheme for detecting a cyberattack or threat. The cybersecurity event validation service accepts very simple, high-level, user-friendly descriptions of the cyberattack or threat. A user of the cybersecurity event validation service thus need not input detailed hardware/software events that specify the potential cyberattack or threat. The cybersecurity event validation service, instead, validates the user's very simple descriptions for correctness. If the user's very simple descriptions conform to basic rules or requirements, then the cybersecurity event validation service elegantly fills in the deep hardware and software details using context and inferences. The cybersecurity event validation service thus elaborates and enhances the user's very simple descriptions by supplying specific hardware/software details needed to detect the cyberattack or threat.
  Type: Application
  Filed: November 1, 2023
  Publication date: May 1, 2025
  Applicant: CrowdStrike, Inc.
  Inventor: Providence Salumu
- Publication number: 20250139227
  Abstract: A deterministic finite automaton (DFA) is used by an extended Berkeley packet filter (or "eBPF") to monitor file system operations and non-file system operations. The DFA is stored as an eBPF map. Before a kernel of an operating system executes any file system operation, the kernel runs an eBPF program that queries the DFA for a filename associated with the system operation. The DFA represents safe/suspicious filenames associated with computer files. If the filename matches the DFA, then the kernel notifies a cybersecurity agent. The cybersecurity agent may then block or allow the file system operation, depending on whether the filename is safe or suspicious. The DFA stored in the extended BPF thus greatly improves computer functioning by very quickly and simply identifying safe/suspicious operations.
  Type: Application
  Filed: October 26, 2023
  Publication date: May 1, 2025
  Applicant: CrowdStrike, Inc.
  Inventor: Justin John Kevin Deschamp
- Patent number: 12265836
  Abstract: A system and method of a localization middleware for localizing datasets using textual replacement techniques. The method includes receiving a request for a particular dataset that is stored in a data store, the particular dataset includes a plurality of textual strings in a non-regional version. The method includes determining a regional version for the particular dataset based on the request. The method includes identifying a library of translations associated with the non-regional version and the regional version. The method includes performing, by a processing device based on the library of translations and the particular dataset, a string replacement procedure to generate a localized dataset including one or more textual strings in the regional version.
  Type: Grant
  Filed: February 29, 2024
  Date of Patent: April 1, 2025
  Assignee: CrowdStrike, Inc.
  Inventor: Vince Jones-Muth
- Patent number: 12261890
  Abstract: Techniques for identifying data usable for generating security recommendations are discussed herein. A system can determine unique identifiers for events associated with a data stream and determine a frequency of different events occurring in the data stream. The system can generate recommendation data usable for defending the data stream from future malicious events based on a number of similar events occurring over a time period.
  Type: Grant
  Filed: September 10, 2024
  Date of Patent: March 25, 2025
  Assignee: CrowdStrike, Inc.
  Inventors: Pranav Sundriyal, William Sherwood, Andrei Cotiga, Adam Freund
- Patent number: 12255905
  Abstract: Techniques and systems for a security service system configured with a sensor component including a machine learning (ML) malware classifier to perform behavioral detection on host devices. The security service system may deploy a sensor component to monitor behavioral events on a host device. The sensor component may generate events data corresponding to monitored operations targeted by malware. The system may map individual events from events data onto a behavioral activity pattern and generate process trees. The system may extract behavioral artifacts to build a feature vector used for malware classification and generate a machine learning (ML) malware classifier. The sensor component may use the ML malware classifier to perform asynchronous behavioral detection on a host device and process system events for malware detection.
  Type: Grant
  Filed: April 20, 2022
  Date of Patent: March 18, 2025
  Assignee: CrowdStrike, Inc.
  Inventors: Vitaly Zaytsev, Brett Meyer, Joel Robert Spurlock
- Publication number: 20250085945
  Abstract: Automated source code similarity greatly improves computer functioning. Any source code file is evaluated with respect to publicly-available open source code. If the source code file is similar to the publicly-available open source code, then a computer system may be approved or authorized to perform any hardware/software operations associated with the source code file. Should, however, the source code file be dissimilar to the publicly-available open source code, then the hardware/software operations are blocked to prevent disclosure of the source code file. For example, read/write/input/output operations are blocked and/or network interfaces are disabled. Source code similarity thus thwarts suspicious activities that indicate misappropriation or exfiltration of the source code file.
  Type: Application
  Filed: September 8, 2023
  Publication date: March 13, 2025
  Applicant: CrowdStrike, Inc.
  Inventors: Michael Avraham Brautbar, Manu Nandan
- Patent number: 12248560
  Abstract: A security agent configured to initiate a security agent component as a hypervisor for a computing device is described herein. The security agent component may change a value of a processor configuration register, such as a Model Specific Register (MSR), in order to cause system calls to be redirected to the security agent, and may set an intercept for instructions for performing read operations on the processor configuration register so that a process, thread, or component different from the processor of the computing device may receive the original value of the processor configuration register instead of an updated value of the processor configuration register. The security agent component may also be configured to generate interrupts to offload task execution from the hypervisor to a security agent executing as a kernel-level component.
  Type: Grant
  Filed: October 2, 2020
  Date of Patent: March 11, 2025
  Assignee: CrowdStrike, Inc.
  Inventor: Ion-Alexandru Ionescu
- Publication number: 20250077545
  Abstract: Nodal redundancy storage decisions efficiently distribute redundant copies of electronic data. A cloud computing network establishes a policy that governs how and where the redundant copies are stored within the cloud computing network (such as by region, zone, and cluster targets). Each cloud computing node is then delegated, with autonomy, to manage a redundant copy to achieve the policy established by the cloud computing network. Each cloud computing node may independently and individually decide to store, to not store, or to evict the redundant copy without consensus of other nodes and without consultation or instruction from the cloud computing network. The nodal redundancy storage decisions are thus decentralized from region, zone, and cluster management.
  Type: Application
  Filed: September 5, 2023
  Publication date: March 6, 2025
  Applicant: CrowdStrike, Inc.
  Inventors: Stig Rohde Døssing, Kenn Daniel
- Publication number: 20250077619
  Abstract: Embedding entity matching greatly improves computer functioning. Different datasets are matched to a common entity using entity embeddings generated by a machine learning entity embedding model. The entity embeddings are converted to entity similarities, thus revealing the datasets associated with the common entity. Efficient matrix operations further improve computer functioning. Embedding entity matching thus quickly identifies common employee records and user accounts using less hardware resources, less electricity, and less time.
  Type: Application
  Filed: September 5, 2023
  Publication date: March 6, 2025
  Applicant: CrowdStrike, Inc.
  Inventors: Brenden Thomas Bishop, Amine Boubezari, Michael Avraham Brautbar
- Publication number: 20250071173
  Abstract: Nodal work assignments efficiently distribute server work items, such as storing redundant copies of electronic data. A cloud computing network establishes a policy that governs how and where the redundant copies are stored on cloud computing nodes (such as by region, zone, and cluster targets). The cloud computing network repeatedly or continuously re-evaluates the work assignments based on replication assignment skews and/or leadership penalties. The nodal work assignments thus minimize hardware and software operations, network traffic, and electrical energy consumption.
  Type: Application
  Filed: November 15, 2024
  Publication date: February 27, 2025
  Applicant: CrowdStrike, Inc.
  Inventor: Stig Rohde Døssing
- Patent number: 12223036
  Abstract: Methods and systems for injected byte buffer data classification are disclosed. According to an implementation, a security agent can detect process injection events, gather byte buffer data associated with the process injection events, and send the byte buffer data to a security service comprising a byte buffer classification function. The byte buffer classification function can be implemented as a trained transformer type neural network machine learning model, which can analyze the byte buffer data and generate a classification output comprising a probability that the byte buffer data is associated with a malicious process injection.
  Type: Grant
  Filed: April 5, 2024
  Date of Patent: February 11, 2025
  Assignee: CrowdStrike, Inc.
  Inventors: Florian Stortz, Felix Schwyzer, Marian Radu
- Publication number: 20250047689
  Abstract: A cybersecurity service protects endpoint devices from cybersecurity attacks. The cybersecurity service deploys cybersecurity attack feature vectors to agents in the field. The cybersecurity attack feature vectors are created in the cloud to efficiently describe observed groups of cybersecurity attacks. One method to assemble these is to generate clustering centroids for the observed groups. Each agent monitors its host according to the cybersecurity attack feature vectors. Each agent monitors its host's event behaviors and locally extracts an event behavior feature vector. The agent compares the cybersecurity attack feature vectors to the event behavior feature vector and, if similarity is determined, then the agent determines that the host's event behaviors are evidence of a cybersecurity attack. The agent may implement threat procedures, such as suspending/terminating the event behaviors and generating alerts.
  Type: Application
  Filed: August 1, 2023
  Publication date: February 6, 2025
  Applicant: CrowdStrike, Inc.
  Inventors: Gregory William Dalcher, Vitaly Zaytsev
- Patent number: 12210510
  Abstract: A digital security system can store data associated with entities in resolver trees. If the digital security system determines that two resolver trees are likely representing the same entity, the digital security system can use a merge operation to merge the resolver trees into a single resolver tree that represents the entity. The single resolver tree can include a merge node indicating a merge identifier of the merge operation. Nodes containing information merged into the resolver tree from another resolver tree during the merge operation can be tagged with the corresponding merge identifier. Accordingly, if the merge operation is to be undone, for instance if subsequent information indicates that the entries are likely separate entities, the resolver tree can be unmerged and the nodes tagged with the merge identifier can be restored to a separate resolver tree.
  Type: Grant
  Filed: March 20, 2024
  Date of Patent: January 28, 2025
  Assignee: CrowdStrike, Inc.
  Inventors: James Robert Plush, Timothy Jason Berger, Ramnath Venugopalan
- Patent number: 12204644
  Abstract: The present disclosure provides an approach of providing, to an artificial intelligence (AI) model, a malicious script that includes a malicious behavior. The AI model is configured to modify software code of the malicious script to produce modified software code that obfuscates the malicious behavior. The approach produces, by a processing device using the AI model, an adversarial script that includes the modified software code that obfuscates the malicious behavior. In turn, the approach initiates a malware detector to test the adversarial script.
  Type: Grant
  Filed: March 29, 2024
  Date of Patent: January 21, 2025
  Assignee: CrowdStrike, Inc.
  Inventors: Stefan-Bogdan Cocea, Damian Monea, Alexandru Dinu, Cristian Viorel Popa, Mihaela-Petruta Gaman
- Patent number: 12189791
  Abstract: A distributed security system can include instances of a compute engine that can execute either locally in security agents on client devices or as cloud instances in a security network. Event data can be processed by elements of the distributed security system according to centrally-defined ontological definitions and/or configurations. Bounding managers of local security agents can control how much event data is sent to the security network. A storage engine in the security network can store event data received from client devices, and can route event data to other elements of the security network, including cloud instances of the compute engine. An experimentation engine of the security network can also at least temporarily adjust other elements of the distributed security system during experiments or tests.
  Type: Grant
  Filed: April 12, 2023
  Date of Patent: January 7, 2025
  Assignee: CrowdStrike, Inc.
  Inventors: David F. Diehl, James Robert Plush, Timothy Jason Berger
- Publication number: 20250007941
  Abstract: A cloud-based cyber security detection prediction service pre-screens cyber security detections reported by endpoint client devices. The endpoint client devices report the cyber security detections to a cloud-computing environment providing the cloud-based cyber security detection prediction service. The cyber security detections are compared to a cyber security assessment profile generated by a machine learning model trained using human expert cyber security assessments. The human expert cyber security assessments were applied by human cyber security subject matter experts scrutinizing historical detection data. The cloud-based cyber security detection prediction service thus provides a much faster cyber security prediction based on human expertise.
  Type: Application
  Filed: June 28, 2023
  Publication date: January 2, 2025
  Applicant: CrowdStrike, Inc.
  Inventors: Joshua Fraser, Joseph Leo Faulhaber
- Patent number: 12184723
  Abstract: Nodal work assignments efficiently distribute server work items, such as storing redundant copies of electronic data. A cloud computing network establishes a policy that governs how and where the redundant copies are stored on cloud computing nodes (such as by region, zone, and cluster targets). The cloud computing network repeatedly or continuously re-evaluates the work assignments based on replication assignment skews and/or leadership penalties. The nodal work assignments thus minimize hardware and software operations, network traffic, and electrical energy consumption.
  Type: Grant
  Filed: July 26, 2023
  Date of Patent: December 31, 2024
  Assignee: CrowdStrike, Inc.
  Inventor: Stig Rohde Døssing
- Publication number: 20240427887
  Abstract: A rules-based malware detection and assessment service pre-screens malware events reported by endpoint client devices. The endpoint client devices report the malware events to a cloud-computing environment providing the malware detection and assessment service. The malware events are compared to logical rules specifying malware and safe activities. Moreover, the malware detection and assessment service maintains a comprehensive, historical database that stores logs and tracks each malware event. Any new malware events are compared to the historical database. Any matching historical entry indicates a duplicate or repetitive malware detection, so the historical detection and assessment may be retrieved and suggested. The rules-based malware detection and assessment service thus provides a much faster and simpler resolution that easily scales to the ever-increasing volume of malware reports.
  Type: Application
  Filed: June 20, 2023
  Publication date: December 26, 2024
  Applicant: CrowdStrike, Inc.
  Inventor: Alastair Sumpter
- Patent number: 12175312
  Abstract: A first message structure is selected from a first subset of a plurality of message structures based on a size of a message payload and a message type of the message payload. Each of the first subset of the plurality of message structures has a different size. A size of the first message structure is greater than or equal to the size of the message payload. A first request is transmitted to an application programming interface (API) utilizing the size of the first message structure. In response to transmitting the first request to the API, a reference is received to a buffer structure. The message payload is copied into the buffer structure using the reference to the buffer structure.
  Type: Grant
  Filed: September 27, 2022
  Date of Patent: December 24, 2024
  Assignee: CrowdStrike, Inc.
  Inventors: Marco Vedovati, Martin Kelly